Cetus Protocol Exploit Analysis

Summary

On May 22, 2025, Cetus Protocol, the largest decentralized exchange (DEX) on the Sui Network, was exploited, resulting in approximately $223 million in losses due to a mathematical flaw. By using a single SCA (Single Collateral Asset) token and carefully selected tick ranges, the attacker drained liquidity pools. While $162 million was quickly frozen by Sui validators, over $60 million was bridged to Ethereum and subsequently converted into approximately 21,000 ETH.

Cetus Protocol is a leading DEX on the Sui Network, known for providing high-performance, cost-effective token trading, leveraging advanced automated market-making (AMM) mechanics tailored for Sui’s scalable infrastructure.

However, on Thursday morning nearly all of the protocol's TVL across all pools was drained, as an exploiter emptied the pools and dumped SUI tokens for USDC. The Sui ecosystem and Cetus team swiftly confirmed and publicly acknowledged the exploit. Sui validators implemented urgent mitigation measures, successfully freezing around $162 million on Sui, while approximately $60 million was bridged to Ethereum in batches of roughly $1 million each, mostly in USDC.

Following the attack, Cetus, along with Inca Digital, announced a $6 million bounty proposal to the exploiter, offering no legal action if the funds were returned. As of now, the exploiter has not responded, and Cetus is working closely with SUI and various law enforcement agencies to retrieve funds.

Transaction Decoder revealing the on-chain communication initiated by Cetus Protocol with the exploiter. Tx. hash: 0xae4c0e656fcd893c3213a6dc28513153fc02df2ae14b7241e9029503fe90ccd0

Relevant Addresses

Cetus SUI Exploiter: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

Cetus ETH Exploiter 1: 0x89012a55cd6b88e407c9d4ae9b3425f55924919b

Cetus ETH Exploiter 2: 0x0251536bfcf144b88e1afa8fe60184ffdb4caf16

Decoding the Exploit

The Cetus Protocol exploit occurred due to a vulnerability within its CLMM (Concentrated Liquidity Market Maker) contract, stemming from an unchecked overflow in the open-source integer_mate package (a math library commonly used in DeFi protocols to perform precision arithmetic operations). The attacker first executed a flash swap, temporarily suppressing pool prices. They then strategically opened a liquidity position spanning 200 ticks (price intervals within the liquidity range). By using just a single SCA (Single Collateral Asset) token, they manipulated the concentrated liquidity system to devastating effect.

Specifically, the flawed get_liquidity_from_a function allowed the attacker to inject enormous liquidity using only a minimal amount of tokens. Although an overflow check existed, it only verified the numerator. When the tick range is narrow, the denominator approaches zero, effectively allowing near-infinite amplification (dividing by nearly zero). As a result, one SCA token was able to generate an astronomical 10,365,647,984,364,446,732,462,244,378,333,008 units of liquidity.

The attacker took a flash loan of approximately 56,700 SUI, exploited the overflow to mint massive liquidity, withdrew the inflated liquidity, repaid the flash loan, and drained the illicitly generated proceeds, ultimately extracting $223 million.
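As an added illustration (not Cetus Protocol's or integer_mate's code), the following simplified Rust model of the liquidity-from-token-A formula shows why a narrow tick range amplifies a tiny deposit and what a hardened path checks; the Q32.32 fixed-point scale, the u64/u128 widths, the `min_width` tick-spacing parameter and the sample values are all assumptions made here. One token unit over a one-step range is credited about 2^32 units of liquidity even though every multiplication is checked, so the defence has to include a range-width policy and a round-trip check that the deposit actually backs the credited liquidity, not just overflow checks on the numerator.

```rust
// Added illustrative model, not Cetus Protocol or integer_mate code.
// Sqrt prices are Q32.32 fixed point in u64 (scale 2^32); intermediates are u128.
const SCALE: u128 = 1 << 32;

/// L = amount_a * sqrt(Pa) * sqrt(Pb) / (sqrt(Pb) - sqrt(Pa)), rounded down.
/// Every multiply is checked, but a narrow range means a tiny denominator,
/// so one token unit can still be credited an enormous, arithmetically "valid" L.
fn liquidity_from_a(amount_a: u64, sqrt_pa: u64, sqrt_pb: u64) -> Option<u128> {
    if sqrt_pa == 0 || sqrt_pa >= sqrt_pb { return None; }
    let num = (amount_a as u128)
        .checked_mul(sqrt_pa as u128)?
        .checked_mul(sqrt_pb as u128)?;
    let den = ((sqrt_pb - sqrt_pa) as u128).checked_mul(SCALE)?;
    Some(num / den)
}

/// Inverse: token A needed to back `liq` over the range, rounded up (in the
/// protocol's favour), with every intermediate checked.
fn amount_a_for_liquidity(liq: u128, sqrt_pa: u64, sqrt_pb: u64) -> Option<u64> {
    let num = liq
        .checked_mul((sqrt_pb - sqrt_pa) as u128)?
        .checked_mul(SCALE)?;
    let den = (sqrt_pa as u128).checked_mul(sqrt_pb as u128)?;
    let amount = num / den + u128::from(num % den != 0);
    u64::try_from(amount).ok()
}

/// Hardened position opening: reject inverted or sub-tick-spacing ranges,
/// fail closed on any overflow, and verify the deposit backs the credited
/// liquidity before anything is written to pool state.
fn open_position(amount_a: u64, sqrt_pa: u64, sqrt_pb: u64, min_width: u64)
    -> Result<u128, &'static str> {
    if sqrt_pa >= sqrt_pb { return Err("empty or inverted range"); }
    if sqrt_pb - sqrt_pa < min_width { return Err("range narrower than tick spacing"); }
    let liq = liquidity_from_a(amount_a, sqrt_pa, sqrt_pb).ok_or("arithmetic overflow")?;
    let backed = amount_a_for_liquidity(liq, sqrt_pa, sqrt_pb).ok_or("arithmetic overflow")?;
    if backed > amount_a { return Err("liquidity not backed by deposit"); }
    Ok(liq)
}

fn main() {
    let one = 1u64 << 32; // sqrt price 1.0 in Q32.32 (constructed sample value)
    println!("1 unit over a 1-step range -> L = {:?}", liquidity_from_a(1, one, one + 1));
    println!("same request via hardened path -> {:?}", open_position(1, one, one + 1, 1 << 16));
}
```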

In the next section, we will decode the on-chain activity using Blockscope forensic tools.

On-Chain Activity

After draining the Cetus Protocol, the Cetus SUI Exploiter started to convert the stolen SUI into USDC to access deeper liquidity and enable cross-chain transfers. Approximately $60 million in USDC was bridged from Sui to Ethereum using Wormhole and Circle, where it was then systematically swapped into ETH through various DeFi protocols. Our Tracer tool has visualized this movement on a graph, mapping the systematic flow of bridged funds on Ethereum and their conversion into ETH.

Blockscope Tracer shows the movement of bridged funds on Ethereum

Backtracing revealed that Circle’s CCTP was likely used to transfer USDC to Ethereum. Contract 0x8656d3703ecbc5f36a9668a4859a7f1138bab0b3 possibly acted as a shim, emitting messages and providing gas to Cetus Exploiter 1. While its exact identity remains unknown, it is likely tied to a third-party DeFi relay. Tracer analysis shows that its creator and funder were funded by Coinbase's hot wallets.

Blockscope Tracer graphs the Relayer/Shim contract and its associates.

Breakdown and Timeline

May 22, 2025 at 10:30 UTC

The attack began with the exploitation of the CLMM contract, draining liquidity reserves. Approximately $223 million worth of tokens were compromised.

SuiVision shows multiple Cetus Protocol AMM pools being drained by the Cetus SUI Exploiter.

May 22, 2025 at 10:47 UTC

Over $60 million was systematically bridged to Ethereum in multiple batches of roughly $1 million each via Circle and Wormhole.

SuiVision shows bridging of funds to Ethereum.

May 22, 2025 at 10:48 UTC

Funds were received by Cetus ETH Exploiter 1, who converted the bridged USDC into approximately 21,000 ETH through various DeFi protocols like Cowswap and Paraswap.

Wallet Profiler shows token transfers of the Cetus ETH Exploiter 1.

May 22, 2025 at 12:31 UTC

ETH Exploiter 1 transferred a significant portion, approximately 20,000 ETH, to Cetus ETH Exploiter 2, which is currently holding the assets, valued at roughly $60–61 million.

Tx. hash: 0xcf5500862c1bf696e5a7acc29559e2a549497846280b8d8a5349a74941bc921a

Entity Interaction tool shows a single transfer of 20,000 ETH from Cetus ETH Exploiter 1 to Cetus ETH Exploiter 2.

May 22, 2025 at 12:50 UTC

Sui validators began voting to refuse transactions signed by the attacker's addresses, effectively "freezing" those addresses. The validators swiftly froze approximately $162 million to prevent further losses.

Frozen Address 1: 0xcd8962dad278d8b50fa0f9eb0186bfa4cbdecc6d59377214c88d0286a0ac9562

Frozen Address 2: 0xe28b50cef1d633ea43d3296a3f6b67ff0312a5f1a99f0af753c85b8b5de8ff06

Monitoring via Watchtower

Blockscope has activated its Watchtower and is monitoring the two Ethereum exploiter addresses in real time to track any subsequent movements or transactions by the exploiter.

Link: https://www.blockscope.co/community/watchtowers/683537673593a981b24f78de

Shim/Relayer Contract Tracing

An intermediary shim/relayer contract, 0x8656d3703ecbc5f36a9668a4859a7f1138bab0b3, funded the exploiter address with a small amount of gas and transmitted a message to mint USDC. Its historical activity appears benign (minor ETH gas funding and USDC minting), and no direct malicious link, nor any definitive association with the exploiter or a specific DeFi protocol, could be verified. The contract is likely a third-party bridging or routing service, potentially associated with Mayan Finance or another relay network: nothing has been found that links it directly to Circle, but it appears to function as a message relayer for Circle CCTP with gas drop.

Cluster analysis of the Ethereum addresses involved in the Cetus Protocol exploit.

Conclusion

As of now, there have been no movements from the ETH exploiter addresses. Cetus Protocol is actively collaborating with law enforcement agencies and the Sui Network to pursue recovery efforts. The team initially offered a $6 million whitehat bounty to the exploiter for the safe return of funds, but after receiving no communication or response, the bounty has been converted into a $5 million open reward for anyone who can provide valuable information or assist in fund recovery.

This comprehensive investigation provides critical insights into the mechanics of the May 22 Cetus Protocol exploit and the subsequent cross-chain fund movements. Continued monitoring, forensic tracking, and close collaboration with security partners are essential to trace, contain, and potentially recover the remaining stolen assets.

The impact of this exploit has rippled beyond Cetus itself, affecting other decentralized exchanges (DEXs) on the Sui Network such as Bluefin, Turbos Finance, and FlowX Finance, some of which were forced to halt operations or initiate emergency audits. Furthermore, many ecosystem tokens saw their values plummet by over 75% following the attack, underscoring the widespread market disruption it caused.

FlowX Finance is temporarily halting services to ensure user fund safety.

Notably, Cetus Protocol had undergone multiple rounds of audits, including one as recently as April by Zellic, yet the vulnerability still slipped through, a stark reminder that even well-audited protocols are not immune to sophisticated attacks. Moving forward, the Cetus team remains committed to strengthening its security posture and working alongside the broader community to restore trust and resilience in the ecosystem.

Investigation by: Tushar Tiwari, Analyst @ Blockscope

For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

  • The data used in this investigation may contain inaccuracies, omissions, or errors.

  • Information sources may be incomplete or subject to change.

  • New evidence may emerge that could alter the conclusions.

  • Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but we cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.
